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DETAILED ACTION 



1 . Currently pending claims are 1 - 35. 

Response to Arguments 

2. Applicant's arguments with respect to the subject matter of the instant claims have been 
fully considered but are not persuasive. 

3. As per claim 1 , Applicant argues: "Grootwassink does not teach in a service access 
provider, ... receiving an access request from a client access device". Examiner disagrees 
because Grootwassink teaches the mobile unit sends a registration request to a serving MSC 
when roaming into a VLR (Grootwassink: Column 5 Line 35 - 47 and Column 4 Line 12-20: 
Examiner notes (a) a VLR is interpreted as a first service access provider and (b) the 
registration to a VLR is just like a log-in process for accessing to a computer system and hence 
is equivalent to access request to a VLR, which can allow or denies the service request 
accordingly (Grootwassink: Column 4 Line 20)). 

4. Furthermore, Applicant argues: "Grootwassink does not teach establishing a 
communications link with the client access device to authenticate and authorize the user". 
Examiner disagrees because Grootwassink teaches establishing a communications link so that 
the wireless unit can present its identification (e.g., MIN / ESN) for the VLR to authenticate the 
mobile unit, which can allow or denies the service request accordingly; otherwise, the whole 
system can not operate properly (Grootwassink: Column 2 Line 47 - 67 and Column 4 Line 12 - 
20). 
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Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraph of 35 U.S.C. 102 that forms the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed in the 
United States before the invention by the applicant for patent or (2) a patent granted on an application for patent by 
another filed in the United States before the invention by the applicant for patent, except that an international application 
filed under the treaty defined in section 351 (a) shall have the effects for purposes of this subsection of an application filed 
in the United States only if the international application designated the United States and was published under Article 
21(2) of such treaty in the English language. 

5. Claims 1 - 3, 6, 9, 13, 14 and 30 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Grootwassink (U.S. Patent 7,031,705). 

As per claim 1 and 30, Grootwassink teaches a method comprising: 

performing, in a service access provider, operations including: 

receiving an access request from a client access device (the mobile unit sends a 
registration request to a serving MSC when roaming into a VLR (Grootwassink: Column 5 Line 
35 - 47 and Column 4 Line 12 - 20: Examiner notes (a) a VLR is interpreted as a first service 
access provider and (b) the registration to a VLR is just like a log-in process for accessing to a 
computer system and hence is equivalent to access request to a VLR, which can allow or 
denies the service request accordingly (Grootwassink: Column 4 Line 20)), the access request 
requesting access to a network, wherein a user associated with the client access device is a 
subscriber of a second service access provider (Grootwassink: Column 2 Line 47 - 67: a HLR 
is qualified as a second service access provider while a VLR as a first service access provider); 

establishing a communications link with the client access device to authenticate and 
authorize the user (Grootwassink: Column 2 Line 47 - 67); 
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receiving client device configuration data from the client access device over the 
communications link during an authentication and authorization exchange (Column 5 Line 35 - 
47, Column 2 Line 63 - 67 / Line 48 - 62 and Column 5 Line 3-10: Examiner notes the 
broadest and reasonable claim interpretations are made, according to MPEP 2111, such that a 
registration information is interpreted as a part of the device configuration data); 

transmitting the client device configuration data destined for the second service access 
provider, wherein the second service access provider is operable to process the client device 
configuration data (Grootwassink: Column 2 Line 47 - 67); and 

selectively granting the client access device access to the network based upon the client 
device configuration data (Grootwassink: Column 2 Line 43 - 54 / Line 63 67); and 

receiving an indication about whether the client access device is granted access to the 
network, the indication originating from the second service access provider (Grootwassink: 
Column 2 Line 63 - 67 and Column 3 Line 2-4: the grant indication originating from the HLR 
(i.e. the second service access provider) and accessing the network via the VLR of the local 
network). 

As per claim 2, Grootwassink teaches processing the client device configuration data 
includes determining if the client device configuration data meets predetermined security 
requirements (Grootwassink: Column 2 Line 63 - 67). 

As per claim 3, Grootwassink teaches determining if the client device configuration data 
meets predetermined security requirements includes comparing the client device configuration 
data with reference configuration data (Grootwassink: Column 2 Line 63 - 67). 
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As per claim 6, Grootwassink teaches the establishing of the communications link with 
the client access device includes, communicating an agent to the client access device, the 
agent operable to identify the client device configuration data and to communicate the client 
device configuration data to a server of the network (Grootwassink: Column 2 Line 47 - 67 and 
Column 5 Line 6-10: the VLR communicates the client configuration data with the HLR). 

As per claim 9, Grootwassink teaches the establishing of the communications link with 
the client access device includes communicating a command set, which includes at least one 
command, to the client access device, the command set operable to identify the client device 
configuration data and to communicate the client device configuration data to a server of the 
network (Grootwassink: Column 2 Line 47 - 67 and Column 5 Line 6 - 10: a command set, for 
example, is to find out the wireless unit's identification (or registration information)). 

As per claim 13, Grootwassink teaches after establishing communications with the client 
access device, authenticating a user associated with the client access device (Grootwassink: 
Column 2 Line 47 - 67 and Column 5 Line 6-10). 

As per claim 14, Grootwassink teaches authenticating the user includes verifying user 
login information associated with the user attempting access to the network (Grootwassink: 
Column 2 Line 20 - 25 and Column 5 Line 6-10). 



Application/Control Number: 10/821,313 Page 6 

Art Unit: 2131 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A person shall be entitled to a patent unless - 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 
of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art 
to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was 
made. 

6. Claims 4, 5, 7, 8, 10 - 12, 15 - 29 and 31 - 35 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Grootwassink (U.S. Patent 7,031,705), in view of Albert et al. (U.S. 
Patent 2003/0177389). 

As per claim 16, Grootwassink teaches a system to verify configuration data of a client 
access device requesting access to a network, the system comprising: 

a first service access provider (Grootwassink: Column 2 Line 33 - 46: a VLR is qualified 
as as a first service access provider), coupled to a network, to establish a communications link 
to the client access device to receive, from the client access device, authentication information 
for a user associated with the client access device (Grootwassink: Column 5 Line 35 - 47 and 
Column 2 Line 63 - 67) and to receive the configuration data from the client access device over 
the communications link during an authentication and authorization exchange (Grootwassink: 
Column 5 Line 35 - 47, Column 2 Line 63 - 67 / Line 48 - 62 and Column 5 Line 3-10: 
Examiner notes the broadest and reasonable claim interpretations are made, according to 
MPEP 21 1 1 , such that a registration information is interpreted as a part of the device 
configuration data); and 
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a second service access provider to receive the authentication information and the 
configuration data from the first service access provider, to process the configuration data, and 
to selectively grant the client access device access to the network based upon the configuration 
data (Grootwassink: Column 2 Line 63 - 67 and Column 3 Line 2 - 4: the grant indication 
originating from the HLR (i.e. the second service access provider) and accessing the network 
via the VLR of the local network). 

However, Grootwassink does not teach processing the configuration data includes 
determining if the configuration data meets predetermined security requirements. 

Albert teaches processing the configuration data includes determining if the 
configuration data meets predetermined security requirements (Albert: Para [0066], [0025], 
[0072] and [0085] - [0098] & Figure 3: the corporate security policies that are predefined and 
assigned to the user are typically downloaded to the user's device from an integrity server). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Albert within the system of Grootwassink 
because (a) Grootwassink teaches providing a security validation for a roamer including 
personal communication service (PCS) units in a wireless network (Grootwassink : Column 1 
Line 25 - 28 / Line 34 - 40 and Column 2 Line 6-10) and (b) Albert teaches providing 
enhanced authenticating method by using the security enforcement module that applies access 
security policy for regulating access at a client device including mobile computer users in a 
wireless network (Albert: Para [0008] Line 4 - 13 and Para [0024]). 

As per claim 32 and 34, Grootwassink teaches a method to manage access to a network 
from a client access device, the method comprising: 
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requesting access to the network, the requesting involving a first service access provider 
and a second service access provider (Grootwassink: Column 5 Line 35 - 47 and Column 2 
Line 33 - 67: a HLR is qualified as a second service access provider while a VLR as a first 
service access provider); 

authenticating a user associated with the client access device in an authentication and 
authorization exchange, wherein the user is a subscriber of the second service access provider 
(Grootwassink: Column 5 Line 35 - 47 and Column 2 Line 33 - 67: the user is a subscriber of 
the HLR); 

communicating client device configuration data to the second service access provider 
via the first service access provider (Grootwassink: Column 5 Line 35 - 47, Column 2 Line 63 - 
67 / Line 48 - 62 and Column 5 Line 3-10: Examiner notes the broadest and reasonable claim 
interpretations are made, according to MPEP 2111, such that a registration information is 
interpreted as a part of the device configuration data); 

receiving a verification response from the second service access provider via the first 
service access provider (Grootwassink: Column 2 Line 63 - 67: the indication originating from 
the HLR (i.e. the second service access provider)); and 

if the user is authenticated and the verification response from the second service access 
provider indicates acceptance of the client device configuration data, accessing the network via 
the first service provider (Grootwassink: Column 2 Line 63 - 67 and Column 3 Line 2-4: the 
grant indication originating from the HLR (i.e. the second service access provider) and 
accessing the network via the VLR of the local network). 

However, Grootwassink does not teach processing the configuration data, by the second 
service access provider, wherein processing configuration data includes determining if the 
configuration data meets predetermined security requirements. 
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Albert teaches processing the configuration data, by the second service access provider, 
wherein processing configuration data includes determining if the configuration data meets 
predetermined security requirements (Albert: Para [0066], [0025], [0072] and [0085] - [0098] & 
Figure 3: (a) the corporate security policies that are predefined and assigned to the user are 
typically downloaded to the user's device from an integrity server and (b) HLR is the home 
service provider (i.e. 2 nd service provider) of the mobile unit and evidently the HLR can include 
"the integrity server" (as taught by Albert) for enhanced security check of configuration data - 
This is also consistent with the disclosure of the instant specification that indicates including a 
configuration server (i.e. integrity server) to process the client device configuration data such 
that it can determine if the configuration data meets predetermined security requirements 
(SPEC: PG-PUB / Para [0013])). 

Same rationale of combination applies herein as above in rejecting the claim 16. 

As per claim 4 and 19, Grootwassink does not disclose expressly the second service 
access provider is further operable to update the client device configuration data if the client 
device configuration data fails to meet the predetermined security requirements. 

Albert teaches the second service access provider is further operable to update the 
client device configuration data if the client device configuration data fails to meet the 
predetermined security requirements (Albert: Para [0066], [0025], [0072] and [0085] - [0098] & 
Figure 3: the corporate security policies that are predefined and assigned to the user are 
typically downloaded to the user's device from an integrity server). 

Same rationale of combination applies herein as above in rejecting the claim 16. 
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As per claim 5 and 20, Grootwassink as modified teaches selectively granting the client 
access device access to the network includes, denying access to the network if the client 
device configuration data is not updated (Albert: [0066] & Figure 3: the last sentence). 

As per claim 7 and 22, Grootwassink does not disclose expressly if after the processing 
of the client device configuration data the client device configuration data requires an update, 
using the agent to update the client access device with updated configuration data. 

Albert teaches if after the processing of the client device configuration data the client 
device configuration data requires an update, using the agent to update the client, access 
device with updated configuration data (Albert: Para [0066], [0025], [0072] and [0085] - [0098] 
& Figure 3: the corporate security policies that are predefined and assigned to the user are 
typically downloaded to the user's device from an integrity server). 

Same rationale of combination applies herein as above in rejecting the claim 16. 

As per claim 8 and 23, Grootwassink as modified teaches after updating the client 
access device, receiving an update result indicator from the agent to confirm that the 
configuration of the client access device has been updated (Albert: Para [0072]). 

As per claim 10 and 25, Grootwassink does not disclose expressly if after the processing 
of the client device configuration data the client device configuration data requires an update, 
using the command set to update the client access device with updated configuration data. 

Albert teaches if after the processing of the client device configuration data the client 
device configuration data requires an update, using the command set to update the client 
access device with updated configuration data (Albert: Para [0066], [0025], [0072] and [0085] - 
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[0098] & Figure 3: the corporate security policies that are predefined and assigned to the user 
are typically downloaded to the user's device from an integrity server). 

Same rationale of combination applies herein as above in rejecting the claim 16. 

As per claim 1 1 and 27, Grootwassink as modified teaches the command set further 
includes a first command set to identify and communicate the client device configuration data to 
the server (Grootwassink: Column 2 Line 47 - 67 and Column 5 Line 6 - 10: a command set, 
for example, is to find out the wireless unit's identification (or registration information)), and a 
second command set to update the client access device with the updated configuration data 
((Albert: Para [0066], [0025], [0072] and [0085] - [0098] & Figure 3: the corporate security 
policies that are predefined and assigned to the user are typically downloaded to the user's 
device from an integrity server). 

As per claim 12 and 26, Grootwassink as modified teaches after updating the client 
access device, receiving an update result indicator from the client access device to confirm that 
the configuration of the client access device has been updated (Albert: Para [0096] - [0098] & 
Figure 3). 

As per claim 15, 29 and 31, Grootwassink does not disclose expressly the client device 
configuration data includes at least one of virus definition data, firewall configuration data, and 
operating system configuration data. 

Albert teaches the client device configuration data includes at least one of virus definition 
data, firewall configuration data, and operating system configuration data (Albert: Para [0090]: a 



Application/Control Number: 10/821,313 Page 12 

Art Unit: 2131 

message sent by the of client security module is a "firewall" event control related configuration 
data) 

Same rationale of combination applies herein as above in rejecting the claim 16. 

As per claim 17, Grootwassink as modified teaches processing the client device 
configuration data includes determining if the client device configuration data meets 
predetermined security requirements (Grootwassink: Column 2 Line 63 - 67). 

As per claim 18, Grootwassink as modified teaches determining if the client device 
configuration data meets predetermined security requirements includes comparing the client 
device configuration data with reference configuration data (Grootwassink: Column 2 Line 63 - 
67). 

As per claim 21, Grootwassink as modified teaches the establishing of the 
communications link with the client access device includes, communicating an agent to the 
client access device, the agent operable to identify the client device configuration data and to 
communicate the client device configuration data to a server of the network (Grootwassink: 
Column 2 Line 47 - 67 and Column 5 Line 6-10: the VLR communicates the client 
configuration data with the HLR). 

As per claim 24, Grootwassink as modified teaches the establishing of the 
communications link with the client access device includes communicating a command set, 
which includes at least one command, to the client access device, the command set operable 
to identify the client device configuration data and to communicate the client device 
configuration data to a server of the network (Grootwassink: Column 2 Line 47 - 67 and 
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Column 5 Line 6 - 10: a command set, for example, is to find out the wireless unit's 
identification (or registration information)). 

As per claim 28, Grootwassink as modified teaches after establishing communications 
with the client access device, authenticating a user associated with the client access device 
(Grootwassink: Column 2 Line 47 - 67 and Column 5 Line 6-10). 

As per claim 33 and 35, Grootwassink does not disclose expressly prior to receiving a 
verification response, updated configuration data is received from the network access system to 
replace the client device configuration data. 

Albert teaches prior to receiving a verification response, updated configuration data is 
received from the network access system to replace the client device configuration data (Albert: 
Para [0066] Para [0097] and [0098]: the integrity server updates and installs the security 
policies on the client device and may deny the client's access to the network if the required 
security policy or module is not subsequently activated by the client device). 

Same rationale of combination applies herein as above in rejecting the claim 16. 
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Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing date 
of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Longbit Chai whose telephone number is 571-272-3788. The examiner 
can normally be reached on Monday-Friday 9:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Longbit Chai 
Examiner 
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